How to Clean Up a Hacked WordPress Website

At this point, we assume that there are known threats that need remediation, so we’ll get right to it. If you don’t have a vendor like WP Turned UP providing website maintenance and support, contact your website hosting provider to see what, if anything, they are willing or able to do for you.

Note: If you do contact your website host, pay close attention to what they are recommending. Ideally, the support staff should work with you, communicating what they are doing each step of the way.

If you decide to go at the cleanup on your own, perform each of the steps below until all threats are remediated.

Immediate Threat Remediation

Change the passwords for any and all accounts that have admin access for your WordPress install.

Establish a threat baseline by using FREE online scanners like Sucuri SiteCheck, Web Inspector, and VirusTotal. (Note: We recommend that you run tests from all of the listed scanners, as some have different strengths.)

Create a brand new backup of your website to salvage what you have left at the latest point in time, being sure to label the backup as “compromised”. (Note: If you have a backup from your web hosting provider or a 3rd party service like ManageWP, that may suffice in terms of freshness of the backup.)

Restore your website from a backup. (Note: While this is the simplest solution, it is unlikely to be practical unless your website is primarily a static website where the data and content rarely change.)

If threats are found in any of the files on your site, a simple fix is to delete and replace them with clean versions by going to your WordPress Dashboard > Updates > Re-install Now. (Note: If your WordPress Dashboard is not available, you can install core WordPress files via FTP.)

Close the Door

All of these steps should be considered mandatory as part of good security practices, but especially after threats have been discovered.

Since threats can originate from your workstation, ensure that your workstation is clean prior to continuing the following remediations from that same workstation. (Note: If you’re on a Windows-based workstation, update the virus definitions by going to Settings > Updates and Security > Windows Update > Check for Updates and then run an offline virus scan by going to Settings > Windows Security > Virus & Threat Protection > Run a new advanced scan > Windows Defender Offline Scan.)

Install Core WordPress Files Using FTP

Extract the full contents of the downloaded .zip file to your workstation.

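Delete the wp-content folder from the extracted files on your workstation. (Note: Do not delete the wp-content folder on the server, since it holds your themes and plugins.)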

Connect to your website via FTP and browse to the folder that corresponds to your website install. (Note: Typically, this is the folder named public_html.)

Upload the remaining files to the folder. (Note: Your FTP program should prompt you with a “Target file already exists” message. Select Overwrite, Always use this action, and Apply to current queue only.)

Since the wp-content folder was deleted prior to uploading, this will overwrite all of the core WordPress files without affecting any of your themes or plugins. Once the upload finishes, you should have a freshly installed copy of the WordPress core files and things are hopefully running smoothly.
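An overwrite upload replaces the core files that are in the .zip, but it leaves any additional file on the server in place. The Python script below is an added example, not part of the original article: it compares a downloaded copy of the site against the extracted clean files, skipping wp-content as the steps above do, and lists what is modified, missing, or extra. It assumes the clean .zip is the same WordPress version as the site; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SKIP_TOP = {"wp-content"}                    # never uploaded, so never compared
SITE_OWNED = {"wp-config.php", ".htaccess"}  # per-site files that are not in the zip


def tree_hashes(root):
    """Map relative path -> SHA-256 for every file under root, minus SKIP_TOP."""
    hashes = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in SKIP_TOP:
            hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_core(clean_root, site_root):
    """Return core files that differ from, are absent from, or are extra to the clean copy."""
    clean, site = tree_hashes(clean_root), tree_hashes(site_root)
    return {
        "modified": sorted(p for p in clean if p in site and site[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in site),
        "extra": sorted(p for p in site if p not in clean and p not in SITE_OWNED),
    }


def write_tree(root, files):  # helper that builds the constructed sample
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Compare two small constructed trees (sample data, not real WordPress files)."""
    core = {"index.php": "<?php // front", "wp-includes/version.php": "<?php // v"}
    clean_files = {**core, "wp-admin/admin.php": "<?php // admin", "wp-content/index.php": "<?php"}
    site_files = {**core, "index.php": "<?php // front, plus an injected line",
                  "wp-includes/cache-old.php": "<?php // not in the zip",
                  "wp-config.php": "<?php", "wp-content/plugins/shop/shop.php": "<?php"}
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        write_tree(clean, clean_files)
        write_tree(site, site_files)
        return compare_core(clean, site)


if __name__ == "__main__":
    print(demo())
```

Review every path listed under "extra" before deleting it, and run the comparison again after the upload to confirm that "modified" is empty.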